InitWare, a portable systemd fork running on BSDs and Linux

(github.com)

167 points sunshine-o | 1 comments | 03 Apr 25 12:11 UTC | HN request time: 0s | source

Show context

exceptione ◴[03 Apr 25 17:18 UTC] No.43572744[source]▶

The list of dropped components is quite large. The cryptsetup, cryptenroll, unified kernel images, kernel signing and systemd-boot work nicely together.

I think Systemd has a view that those things should reliably work together. I do not fancy a revival of the past where the user has to cobble a mesh of hopefully compatible libraries to achieve the same, taking weeks to study the Arch manual and resolving tons of gotcha's, all to be broken by next week's update.

The integration of all this stuff is now actively under test and maintenance with systemd.

And yes, the mentioned services also have an impact on the scope of service managing. Because if you have a unit that depends on a disk that needs to be unencrypted, this has to be resolved somehow in the right time.

I personally have had no need for systemd-resolved, but I think for *desktop* the list of droppable components is not large.

So maybe we should first have a conversation about the *desktop* vs *container-os* purpose?

replies(5): >>43573274 #>>43573308 #>>43573459 #>>43575409 #>>43576185 #

udev4096 ◴[03 Apr 25 18:04 UTC] No.43573274[source]▶

>>43572744 #

systemd has definitely made huge improvements to boot security which not a lot of "systemd haters" see. this is a great post from lennart: https://0pointer.de/blog/brave-new-trusted-boot-world.html

replies(3): >>43574018 #>>43574595 #>>43574860 #

immibis ◴[03 Apr 25 19:56 UTC] No.43574595[source]▶

>>43573274 #

The problem with boot security is that the computer has no way to know its owner from someone who isn't its owner. All it can go on is who was there first. Which, you guessed it, was Lenovo.

I have no problem with secure boot as a concept but I don't know how to implement it so it can't be used to lock you out of your own computer. And an implementation which allows that is worse than no implementation.

replies(4): >>43574869 #>>43574936 #>>43575639 #>>43579535 #

udev4096 ◴[03 Apr 25 20:20 UTC] No.43574869{3}[source]▶

>>43574595 #

sbctl [0] makes secure boot a lot easier. you just enable setup mode from BIOS and it will take care of enrolling and managing the keys. Are you immibis from libera.chat by any chance?

[0] - https://github.com/Foxboron/sbctl

replies(1): >>43579846 #

1. bmacho ◴[04 Apr 25 09:07 UTC] No.43579846{4}[source]▶

>>43574869 #

There was this SixOS presentation[0] 2 months ago of a single man's own distro, among a lot of things he claims that he's created the most secure boot process ever

> On NixOS, either the initrd "secrets" or the software that decrypts them is stored unencrypted on writable media. Ownerbooted sixos closes this loophole without any "trusted computing" voodoo, eliminating all unencrypted storage except for an eeprom whose hardware write-protect pin is connected to ground... coreboot [loads] an immutable pre-kexec kernel from write-protected SPI flash... authenticate the user, decrypt writeable storage, kexec into the post-exec kernel... The speaker runs ownerbooted sixos on his workstations, servers, twelve routers, stockpile of disposable laptops, and on his company's 24-server/768-core buildfarm.

[0] : https://news.ycombinator.com/item?id=42884727

↑